When Penetration Tests Backfire

Very good article over at Dark Reading today about testing PoC exploit code and security tools before you use them in a production environment.

“…how do you know if the PoC (proof of concept) exploit code you downloaded from Milw0rm or Packet Storm includes a backdoor?”

The author also mentions some very good things to consider when planning a pen test, and I have added a few of my own:

– Do you need to run the pen test in a production environment? While I think that you should, to simulate a real attack, some companies are not comfortable with that. Always be sure to find out and include this in your contract and/or authorization letter.

– Review your toolkit and make sure that you are not using tools and exploits that will cause a DoS or crash a system. Of course systems do sometimes crash for reasons outside your control (hence the reason you have an authorization-to-test letter); however, as a pen tester you should be doing everything you can to make sure you don’t purposely crash or DoS systems. I suggest that at least 2-3 times a year your pen test team should meet for a few days, review your toolkit and perform detailed testing of these tools and code.

– Review and test PoC and exploit code in a lab before running it in a production environment. I don’t think the client would be too happy if you inadvertently Trojan’d their systems!

– Try to supplement your team’s toolkit with a commercial tool like Core Impact or Immunity Canvas, as their exploits are tested and offer options to help ensure a targeted system does not crash.
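As an added example of the “review the PoC before you run it” step (this is not code from the Dark Reading article or from this post’s author), the script below does a first-pass static triage of a downloaded Python PoC: it parses the file, flags the patterns a planted backdoor usually relies on (a decoder such as `base64.b64decode` feeding straight into `exec()`/`eval()`, shell-outs, hard-coded addresses that are not the agreed target, opaque blobs) and pins a SHA-256 of the exact bytes you reviewed. The two embedded PoCs are constructed samples, not real exploits, and the address `198.51.100.7` is from the documentation range; the `triage`, `fingerprint` and `Finding` names are my own. It ranks what to read first and is no substitute for reading the code.

```python
"""Static triage of a downloaded PoC before it is allowed near a client system.

Constructed example; the two sample PoCs below are hypothetical and do nothing useful.
"""
import ast
import hashlib
import re
from dataclasses import dataclass

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {("base64", "b64decode"), ("zlib", "decompress"), ("marshal", "loads"),
            ("pickle", "loads"), ("codecs", "decode")}
SHELL_OUT = {("os", "system"), ("os", "popen"), ("subprocess", "Popen"),
             ("subprocess", "call"), ("subprocess", "run")}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = almost certainly hostile, "review" = read it before running
    line: int
    message: str


def _qualname(func):
    """('base64', 'b64decode') for a call like base64.b64decode(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _is_decoder_call(node):
    return isinstance(node, ast.Call) and _qualname(node.func) in DECODERS


def triage(source: str, allowed_hosts: frozenset = frozenset()) -> list:
    """Return findings sorted by line; an empty list means nothing obvious, not 'safe'."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in DYNAMIC_EXEC:
                if node.args and _is_decoder_call(node.args[0]):
                    # exec(base64.b64decode("...")) is the classic way to hide a second payload
                    findings.append(Finding("high", node.lineno,
                                            f"{node.func.id}() fed directly from a decoder"))
                else:
                    findings.append(Finding("review", node.lineno,
                                            f"dynamic code execution via {node.func.id}()"))
            elif _qualname(node.func) in SHELL_OUT:
                findings.append(Finding("review", node.lineno,
                                        f"shell-out via {'.'.join(_qualname(node.func))}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IPV4.match(node.value) and node.value not in allowed_hosts:
                # An exploit should take its target from the operator, not hard-code one
                findings.append(Finding("high", node.lineno,
                                        f"hard-coded address {node.value!r} is not an agreed target"))
            elif len(node.value) >= 200 and re.fullmatch(r"[A-Za-z0-9+/=\\x]+", node.value):
                findings.append(Finding("review", node.lineno,
                                        f"opaque {len(node.value)}-char blob; decode and read it"))
    return sorted(findings, key=lambda f: f.line)


def fingerprint(source: str) -> str:
    """SHA-256 of the reviewed bytes, to be recorded in the engagement notes."""
    return hashlib.sha256(source.encode()).hexdigest()


# Constructed sample: what a straightforward PoC looks like (target comes from argv).
CLEAN_POC = '''import socket, sys
target = sys.argv[1]
payload = b"A" * 1024
s = socket.socket()
s.connect((target, 80))
s.send(b"GET /" + payload + b" HTTP/1.0")
'''

# Constructed sample: the same PoC with a hidden payload and a call-back address added.
BACKDOORED_POC = CLEAN_POC + '''import base64
exec(base64.b64decode("aW1wb3J0IG9z"))  # "telemetry"
c = socket.socket()
c.connect(("198.51.100.7", 4444))
'''

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_POC), ("backdoored", BACKDOORED_POC)):
        print(f"{name}: sha256={fingerprint(src)}")
        for f in triage(src):
            print(f"  [{f.severity}] line {f.line}: {f.message}")
```

Run the reviewed file through `triage()` with the engagement’s target addresses passed as `allowed_hosts`, read everything it reports, and keep the `fingerprint()` value with the authorization paperwork so the file that reaches the client network is provably the one that was reviewed.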